Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
IcedID first emerged in 2017 as a capable, widely observed banking trojan. Beginning in 2020, IcedID was identified as a precursor to ransomware attacks such as Egregor, Maze and Conti and has historically utilized email as its delivery vector.
In December 2022, TRU began observing IcedID infections that were traced to payloads downloaded by users from the Internet. This observation coincided with a general uptick in successful IcedID infections in Q4 of 2022, which saw 35% percent of IcedID incidents for the period between January 2022 and January 2023 (Figure 1).
The activity in Q4 2022 was a mixture of email and drive-by infections. However, since mid-late December 2022, observed IcedID infections have originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Google Search Ad Abuse
Malicious Google Search Ads are nothing new, but TRU has observed an increase in their use to deliver information stealing malware and IcedID in 2022 and 2023. For IcedID specifically, TRU has observed malicious ads targeting applications such as Slack, Docker, TeamViewer, Microsoft Teams, Basecamp and Adobe Reader (among others), as seen in Figure 2.
Search ads utilize the auction-based Pay-Per-Click (PPC) model. Advertisers can enter a maximum bid for certain search keywords to display their ad so long as their bid is more than another advertiser’s bid. Additionally, Ads Keyword Planner, a free tool, provides an estimate for top of page bids where an advertiser can ensure their ad is shown at the top of the search results for specific keywords (usually at a premium).
For example, as of January 2023, one would need to place a maximum bid of $4.30 per click to have an ad displayed at the top of a search for “slack download”. Therefore, a top of page ad bid for 1000 clicks could cost between $1330 and $4300 USD. This cost is unlikely to be a significant barrier to threat actors who are likely using stolen payment data.
Abusing search ads also provides some degree of curation in terms of ideal targets. This is reflected by both the keywords targeted (primarily software used in corporate environments) and audience segments, which includes detailed demographics, interests, intents and other attributes estimated by Google (Figure 3).
Google does use a review process for new ads to ensure compliance with their ad policy, including malicious software. It’s not immediately clear how threat actors are circumventing these compliance checks.
Cloaking is a common tactic used to hide malicious content from all but the intended victim. An example of traffic redirection can be seen in Figure 2 above, where slackapp[.]tech is the ad link, but the final content is hosted on wvwslack[.]top. Another example can be seen in Figures 4 and 5 below, where a download page impersonating Docker leads to the legitimate Docker binary. However, in a subsequent review, the page leads to an IcedID payload host on Google FireBase storage.
IcedID to Cobalt Strike Handoff
In mid-January 2023, a customer endpoint became infected with IcedID originating from a website masquerading as Adobe Reader. The victim arrived on the website (vwv-adobe[.]top) from clicking a Google Search Ad for Adobe software (Figure 6).
The setup file (6718a804f5d5064fa3b918d844fd727d) is padded to inflate its size to over 700MB to inhibit automated inspection. When executed, IcedID executes an initial round of reconnaissance commands and initiates a check-in with the C2 (qsertopinajil[.]com), as seen in Figure 7.
The living-off-the-land reconnaissance commands used are not indifferent than what TRU has observed with malware whose objective is delivering footholds to hands-on-keyboard adversaries. The output from these commands provides a quick summary of the foothold’s worth and is likely used to triage and prioritize the most valuable footholds.
WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List ipconfig /all systeminfo net config workstation nltest /domain_trusts nltest /domain_trusts /all_trusts net view /all /domain net view /all net group "Domain Admins" /domain
Within 30 minutes, IcedID attempted to execute a PowerShell script (ozye.txt) using fodhelper.exe to bypass UAC but was blocked from doing so.
Our team of 24/7 SOC Cyber Analysts retrieved the PowerShell script from the system and determined it contained a Cobalt Strike Beacon loader (f36c8d12db66730f3cf94d28331b90ac) configured to spawn and inject into a child PowerShell process. The beacon was configured to communicate with poasnm[.]com using HTTP and spawn using regsvr32.exe.
Our SOC identified suspicious reconnaissance activity on a customer endpoint and immediately notified the customer while an investigation took place. The case was escalated when the blocked Cobalt Strike activity occurred and the system was immediately contained.
What can you learn from this TRU positive?
- Drive-by cyberattacks are on the rise. These cyberattacks rely on social engineering techniques over software exploits.
- IcedID is unlikely to be the last email-borne threat to shift delivery methods and tactics. As email defenses improve, you should expect drive-by attacks to become more abundant.
- Broad targeting of targets that are ideal for fraud and/or extortion attacks is made possible by abusing marketing tools available in ad platforms.
- IcedID is no longer exclusively a banking trojan. Like other former bankers (e.g., Qakbot), an IcedID foothold can be weaponized for initial access into the network.
- In the case mentioned above, an attempt was made to weaponize the foothold within 30 minutes.
Recommendations from our Threat Response Unit (TRU):
General Guidance for Users:
- Prioritize application installs from your organization’s library of approved applications (if implemented).
- Treat files downloaded from the Internet with the same vigilance as those delivered through email. Assume files are potentially hostile regardless of the path that got you there. Remember, a website hosting software advertised on a trusted search engine does not inherit that trust.
- Verify the source of the file:
- Examine the URL – does it match the expected website for the application? Look for typos or other odd characters (wvw-slack[.]com vs slack.com).
- When in doubt, browse to the company’s website and locate their downloads page.
- Examine the file:
- Legitimate software downloads are unlikely to be password-protected.
- Examine the file extension. Files ending with .iso, .vbs, .lnk or .js are all unlikely to be legitimate.
Guidance for IT:
- Ensure employees have access to a dedicated software center to download corporate-approved software.
- Raise awareness of malware masquerading as legitimate applications, and include relevant examples within your Phishing and Security Awareness Training (PSAT) program to educate your employees on how to protect themselves against similar cyber threats.
- Audit your environment regularly to ensure all endpoints are patched with the latest vendor security updates.
- Protect endpoints against malware by:
- Ensuring antivirus signatures are up-to-date.
- Using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.
Indicators of Compromise
| Indicator | Note |
| www-goto-com[.]top | IcedID Download Page |
| www-onenote-us[.]top | |
| www-fortinet-com[.]top | |
| www-irsform-com[.]top | |
| www-discord-us[.]top | |
| ww-citrixcom[.]top | |
| wvw-basecamp-us[.]com | |
| wvw-docker-us[.]com | |
| wvw-microsofteams[.]top | |
| wvw-mlcrosofteams[.]top | |
| vwv-adobe[.]top | |
| mlcrosofteams[.]top | |
| www-docker[.]top | |
| www-teamviewer[.]top | |
| wvw-slack-us[.]com | |
| wvwslack[.]top | |
| wvw-teanviwer-us[.]com | |
| wvw-webex-us[.]com |
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
